CVE-2008-2463

Microsoft Access - 'Snapview.ocx 10.0.5529.0' ActiveX Remote File Download

Severity Score

6.8

*CVSS v2

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The Microsoft Office Snapshot Viewer ActiveX control in snapview.ocx 10.0.5529.0, as distributed in the standalone Snapshot Viewer and Microsoft Office Access 2000 through 2003, allows remote attackers to download arbitrary files to a client machine via a crafted HTML document or e-mail message, probably involving use of the SnapshotPath and CompressedPath properties and the PrintSnapshot method. NOTE: this can be leveraged for code execution by writing to a Startup folder.

El control ActiveX Microsoft Office Snapshot Viewer en snapview.ocx, distribuido en Snapshot Viewer and Microsoft Office Access 2000 through 2003, permite a atacantes remotos descargar archivos de su elección a un equipo cliente a través de un documento HTML o mensaje de correo manipulados. NOTA: esto puede ser aprovechado para ejecutar código si se escribe la carpeta de inicio (StartUp).

*Credits: N/A

CVSS Scores

NISTv2 6.8

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2008-05-28 CVE Reserved
2008-07-07 CVE Published
2008-07-24 First Exploit
2024-08-07 CVE Updated
2024-11-01 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-94: Improper Control of Generation of Code ('Code Injection')

CAPEC

References (14)

URL	Tag	Source
http://secunia.com/advisories/30883	Third Party Advisory
http://www.kb.cert.org/vuls/id/837785	Third Party Advisory
http://www.microsoft.com/technet/security/advisory/955179.mspx	X_refsource_confirm
http://www.securityfocus.com/bid/30114	Vdb Entry
http://www.securitytracker.com/id?1020433	Vdb Entry
http://www.us-cert.gov/cas/techalerts/TA08-189A.html	Third Party Advisory
http://www.us-cert.gov/cas/techalerts/TA08-225A.html	Third Party Advisory
http://www.vupen.com/english/advisories/2008/2012/references	Vdb Entry
https://exchange.xforce.ibmcloud.com/vulnerabilities/43613	Vdb Entry
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6120	Signature

URL	Date	SRC
https://www.exploit-db.com/exploits/6124	2008-07-24
https://www.exploit-db.com/exploits/16605	2010-09-20
http://www.exploit-db.com/exploits/6124	2024-08-07

URL	Date	SRC

URL	Date	SRC
http://marc.info/?l=bugtraq&m=121915960406986&w=2	2017-09-29

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Microsoft Search vendor "Microsoft"		Office Snapshot Viewer Activex Search vendor "Microsoft" for product "Office Snapshot Viewer Activex"				office_2003 Search vendor "Microsoft" for product "Office Snapshot Viewer Activex" and version "office_2003"		-		Affected
Microsoft Search vendor "Microsoft"		Office Snapshot Viewer Activex Search vendor "Microsoft" for product "Office Snapshot Viewer Activex"				office_xp Search vendor "Microsoft" for product "Office Snapshot Viewer Activex" and version "office_xp"		-		Affected
Microsoft Search vendor "Microsoft"		Office Snapshot Viewer Activex Search vendor "Microsoft" for product "Office Snapshot Viewer Activex"				office2000 Search vendor "Microsoft" for product "Office Snapshot Viewer Activex" and version "office2000"		-		Affected